Archive for July, 2011

Are my add-ons worth it?

July 29th, 2011 No comments

If you use Internet Explorer 9, you’ve probably noticed the new yellow notification bar. One of the things the notification bar tells you is that an add-on might slow down your computer’s performance. The notification also tells you how to disable the add-on or fix the problem.

Add-ons supplement your browser with ActiveX controls and extra features, such as toolbars.  

Some add-ons might slow down your computer, but it’s really up to you whether you want to keep using an add-on despite the slowdown. You can use the Add-On Performance Advisor to help identify add-ons that might be slowing you down.

In Internet Explorer 9, if you want to see the add-ons that are already installed, click the tools menu (gear icon ), and then click Manage Add-ons.

For more information, see:

Categories: Internet Explorer 9, security Tags:

July MSRT on web redirector malware

July 28th, 2011 No comments

This month, we added Win32/Tracur and Win32/Dursg, two of the most prevalent pieces of malware belonging to the category of ‘web redirectors’, to our Malicious Software Removal Tool (MSRT). After just over two weeks in release, we have early numbers on our success in detecting and removing these twinned threats.

In terms of functionality, Win32/Tracur is a backdoor trojan with the capability to redirect web search queries. It is worth mentioning that about 99% of Win32/Tracur samples we have seen also install Win32/Dursg.

As mentioned in our earlier post "MSRT July 2011: Targeting web redirector malware", Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also drops Win32/Dursg to install malicious extensions for Firefox and Opera. User query results from search engines such as Google, Yahoo!, AOL, Ask and Bing will be redirected to a malicious site. To guarantee Win32/Tracur control, it modifies several registry entries. To disguise its presence, dropped files are named similarly to Windows DLLs.

Win32/Tracur
Figure 1: Snapshot of the infected Windows system folder

In the above figure, notice that new files such as audiosrv23.dll, dmime32.dll, and hnetmon32.exe do not usually exist on a clean system. Win32/Dursg, on the other hand, installs Mozilla Firefox and Opera extensions, as illustrated below, to accomplish the same task.

Win32/Dursg installs Firefox extension
Figure 2: Malicious Firefox extension

Win32/Dursg installs Opera extension
Figure 3: Malicious Opera extension

Win32/Dursg has been seen distributed alongside other malware and file infectors such as Sality, Virut, Polip, Alureon, and Tracur, to name just a few, which further assists its wide distribution. For complete information about the behavior of both malware families, please refer to our descriptions for Win32/Tracur and Win32/Dursg in the MMPC encyclopedia.

Since the release of MSRT on July 12, we have removed 516,517 Win32/Tracur threats from 242,517 computers making this malware the top threat on the list. Another 91,041 instances of Win32/Dursg were removed from 73,166 computers.

Family      Threats    Machines
Tracur      516,547     242,517
Sality      429,202     239,353
Cycbot      199,339     170,889
Alureon     125,475      94,857
FakeRean     90,926      84,798
Vobfus       90,004      82,670
Taterf      100,183      77,618
Rimecud      80,865      74,614
Dursg        91,041      73,166
Brontok      73,429      68,370

Chart: MSRT top malware families removed in July 2011 

The high number of Tracur threats can be attributed to its dropped files. Tracur drops modified copies of itself in the <system folder> using file names derived from existing Windows DLL names with the string “32” appended, such as hal32.dll, olecli3232.dll, olecli3232.exe, and authz32.dll.
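The naming pattern just described (an existing Windows file name with “32” appended) can be turned into a review heuristic. The script below is an added example, not code from the MMPC post: it lists .dll and .exe files in the system folder whose name, minus a trailing “32”, is itself the base name of another file in that folder, and reports each file’s Authenticode status and creation time. The function name, parameter and output columns are my own choices; a hit is a candidate for manual review, not a verdict.

```powershell
# Added example (not from the MMPC post): flag files in the Windows system folder whose name
# looks like an existing file there plus "32", the Tracur naming pattern described above
# (hal32.dll -> hal.dll, olecli3232.exe -> olecli32.dll, authz32.dll -> authz.dll).
function Find-Appended32Names {
    param([string]$SystemDir = "$env:SystemRoot\System32")   # assumed default location

    $files = Get-ChildItem -Path $SystemDir -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }

    # Lookup of existing base names without extension, e.g. "hal" -> "hal.dll"
    $known = @{}
    foreach ($f in $files) {
        $key = $f.BaseName.ToLowerInvariant()
        if (-not $known.ContainsKey($key)) { $known[$key] = $f.Name }
    }

    foreach ($f in $files) {
        $base = $f.BaseName.ToLowerInvariant()
        if ($base.Length -le 2 -or -not $base.EndsWith('32')) { continue }
        if (@('.dll', '.exe') -notcontains $f.Extension.ToLowerInvariant()) { continue }

        # Strip the trailing "32" and only report the file if that stem is itself a file here;
        # that is what makes the dropped name blend in with real Windows binaries.
        $stem = $base.Substring(0, $base.Length - 2)
        if ($known.ContainsKey($stem)) {
            $sig = Get-AuthenticodeSignature -FilePath $f.FullName
            New-Object PSObject -Property @{
                File      = $f.Name
                Mimics    = $known[$stem]       # the legitimate file the name resembles
                Signature = $sig.Status
                Created   = $f.CreationTime
            }
        }
    }
}

# Newest files first: freshly dropped copies sort to the top of the list
Find-Appended32Names | Sort-Object Created -Descending |
    Format-Table File, Mimics, Signature, Created -AutoSize
```

Expect a few benign hits, since some legitimate Windows files happen to fit the pattern; the creation time and the Mimics column are there to make those quick to dismiss. Treat the Signature column as a supporting signal only: many Windows system binaries are catalog-signed rather than embedded-signed, and older versions of Get-AuthenticodeSignature report those as NotSigned.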

Checking the origin of Tracur detections, the United States has the highest share of infections at 80%, followed by Japan, France, and Canada, which account for 3% of detections each.

Win32/Tracur detections by country
Figure 4: Win32/Tracur detections by country

For Dursg, the United States has 56% of the detected infections, followed by Turkey, Canada, and the United Kingdom.

Chart 2 - Dursg detections by country
Figure 5: Win32/Dursg detections by country


As you can see, the evil twins of Tracur and Dursg are very prevalent. Microsoft Security Essentials and Microsoft Forefront Endpoint Protection both offer real-time protection to prevent you from becoming infected.

In addition, you can take the extra step of staying informed about the risk of search-redirecting malware as you browse the Internet. Make sure that any browser add-on you install is one you actually intended to install, so that you don’t inadvertently add a potentially dangerous web browser add-on.

We recommend using Internet Explorer 9 (IE9) for browser security and key benefits that include helping users stay in control of their browsing experience. IE9 notifies users whenever a new add-on is installed. IE9 also helps improve browsing performance by notifying users about slow-performing add-ons and making it easy for users to disable them. We find that these features help raise security awareness as well.

— Rodel Finones & Scott Wu, MMPC

PS: SHA1 hashes for both threats are listed below

Win32/Tracur:
4255ecff84049004254dadc820eed72b34cd2f06
253d163638ab72f18e4b1ebd71295b996bdbb736

Win32/Dursg:
5e12f9c1d4bc98d85167eac7c0010618ffed5a9d
a47baf291928d7a4010f66522e282700d60ec5cb

MSRC Progress Report Shows Continued Progress of MSRC Key Initiatives

July 28th, 2011 No comments

Today, the MSRC released its third annual progress report highlighting advancements of key Microsoft programs designed to help prevent and defend against online threats. The Microsoft programs featured in this paper include the following:

Each of these programs has experienced significant progress over the past year – from the introduction of a revised Exploitability Index rating system to a 29% increase in MAPP program membership. Microsoft will continue to refine these programs based on customer and industry feedback. Full details are available in the report itself – download a copy and get the full story on the MSRC’s progress since Black Hat 2010.

Some highlights from the report:

  • MAPP now has 84 security companies participating worldwide, providing protections for hundreds of millions of customers every month.
  • The recently revised Exploitability Index rating for security bulletins can help to significantly reduce the need to urgently deploy all security updates.
  • Of the 605 Exploitability Index ratings issued from October 2008 to June 2011, only 5 have been revised. Four of those revisions have involved a reduction in the Exploitability Index rating.
  • Since July 2010, MSVR has identified and disclosed 109 different software vulnerabilities affecting a total of 38 software vendors in a safe and coordinated manner.
  • Software vendors have responded and coordinated on 97 percent of all vulnerabilities reported by MSVR.
  • Microsoft’s creation of a Coordinated Vulnerability Disclosure (CVD) process for our employees last year, and publication of supporting documentation in April 2011, has been very well received by customers as evidenced by their testimonials.
  • Reaction to the participation of Adobe Systems Inc. in the MAPP program has been very positive as evidenced by our MAPP testimonials:

“Adobe is proud of its continued participation in the MAPP program and pleased with the positive feedback we’ve been getting from MAPP partners. Since the July 2010 MSRC Information Sharing report, Adobe’s participation in MAPP has grown from providing proof of concept documentation for exploits to providing full detection guidance and examples on virtually all Adobe Reader and Flash Player issues.  We are pleased with the results of our participation in MAPP and value MAPP as a great example of companies working together to share information to help protect our mutual customers. Adobe has provided detection guidance to MAPP partners on 14 security updates since we began participating in the program.”

– Brad Arkin, Senior Director of Product Security and Privacy, Adobe Systems Incorporated

Later this week, many of us will be attending the Black Hat USA conference in Las Vegas. We’ll be at booth #203 in the exhibition hall– if you’re attending, stop by and say hello, and feel free to give your own testimonial at the video booth.

– Mike Reavey

Categories: Uncategorized Tags:

Announcing the BlueHat Prize for Advancement of Exploit Mitigations

July 28th, 2011 No comments

Protecting the general computing ecosystem is a really tough job, and given some of the media headlines, it’s easy to get discouraged and wallow in the problems. It seems like we’re constantly bombarded with statistics measuring the number of bugs, vulnerabilities, or attacks in an attempt to build an accurate “state of the state.” The popular question of late seems to be “Is the ecosystem getting more or less secure?”

In my role, I talk with a lot of customers. In fact, we had recent meetings on Microsoft’s campus with CSOs from some of the world’s largest companies. While the topic sometimes starts with the “state of the state” and recent changes in the threat landscape, they always end up in the same place – customers want to discuss and collaborate on solutions, rather than wallowing in the problems.

We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products & services.  There are also hundreds of security providers in the industry that we work closely with. In fact, three years ago we took an unconventional approach to security challenges by creating the Microsoft Active Protections Program (MAPP) to help unify this group of defenders.  This program shifted advantage to the good guys by promoting collaboration within the industry, even among competitors, in order to quickly build defensive technologies for over a billion of our shared customers around the world.

The success of that program – which inspired industry collaboration – got us thinking about whether we could do something similar for the security research community. Our goal was to inspire new lines of research in areas that have the most impact and leverage in protecting customers. That means not building incentives to find single bugs, but instead rewarding work on innovative solutions that could mitigate entire classes of attacks.

Today, I am pleased to announce the BlueHat Prize to inspire security researchers to seek innovations in exploit mitigation technologies. This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology. In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations. At Microsoft, we believe in hiring the best and brightest minds in security to help us improve the security of our products and services, but also recognize it will take a “global village” to address today’s security challenges.

With over a quarter million dollars in cash and prizes, Microsoft believes the BlueHat Prize will motivate the community and foster even more collaboration with researchers throughout the security industry. To understand more about this competition, please visit Katie Moussouris’ EcoStrat blog or the BlueHat Prize contest page.

-Matt Thomlinson

MS09-035 – Moderate: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706) – Version:3.1

Severity Rating: Moderate
Revision Note: V3.1 (July 27, 2011): Corrected the update verification information for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package, Microsoft Visual C++ 2008 Redistributable Package, and Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. Removed the registry key information in favor of product codes. This is an informational change only.
Summary: This security update addresses several privately reported vulnerabilities in the public versions of the Microsoft Active Template Library (ATL) included with Visual Studio. This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin.

Categories: Uncategorized Tags:

MS11-027 – Critical : Cumulative Security Update of ActiveX Kill Bits (2508272) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (July 27, 2011): Added class identifiers for the Microsoft WMITools ActiveX Control described in this bulletin’s vulnerability section for CVE-2010-3973. This is an informational change only. Customers who have already applied the “Prevent COM objects from running in Internet Explorer” workaround for this vulnerability should reapply this workaround with the additional class identifiers.
Summary: This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft software. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page that instantiates a specific ActiveX control with Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for three third-party ActiveX controls.

Categories: Uncategorized Tags:

Follow the latest privacy and online safety news

July 26th, 2011 No comments

The official Twitter account for the Microsoft Privacy team has relaunched at twitter.com/MSFTPrivacy.

@MSFTPrivacy was launched for us to engage in real-time with our privacy community.  We will use this channel to talk about privacy issues, while raising awareness of Microsoft’s approach to addressing concerns through our data governance policies. Here are recent updates you might be interested in:

Follow the Microsoft Privacy team.

The Microsoft Online Safety team also regularly tweets at twitter.com/safer_online. Here, the focus is on Internet safety for families, but we also include relevant privacy and security news.

Recent updates:

Follow the Microsoft Online Safety team.

Announcing the newest MMPC Research and Response Lab

July 26th, 2011 No comments

I’m very excited to announce that today, the MMPC is opening a new research and response lab in Munich, Germany!

Why Munich? Well, this central location in Europe enables the MMPC to be more agile in responding to threats across Europe, the Middle East, and Africa. The new lab complements the existing European antimalware lab in Dublin, Ireland. Both of these labs will be led by 20-year veteran antimalware researcher Katrin Totcheva.

Katrin is here with me, in Munich, for the opening of the new lab, and to introduce the new members of our team of researchers into the MMPC family. We now have research and response labs in Redmond, USA; Dublin, Ireland; Melbourne, Australia; Vancouver, Canada; Munich, Germany; and additional researchers located in New York, Los Angeles and Beijing. As we see adoption of our products and services increasing internationally – such as Office 365, Internet Explorer 9, Windows InTune and Bing – the MMPC’s global presence lets us respond quickly and effectively to the changing threat landscape. I’m proud of the significant investment Microsoft has made, and continues to make, in protecting our customers.

You’ll see the results of the research carried out in these labs in our products and services, including Microsoft Security Essentials and Windows Defender, as well as the Microsoft Forefront suite of products.

If you’d like more information about the MMPC and the technologies we support, we recently published two new whitepapers; Malware Research and Response at Microsoft, which describes how our team works, and Introducing Microsoft Antimalware Technologies, which gives more background on the antimalware engine.

Keep up to date with the latest MMPC announcements on our Facebook page, and via our Twitter account.

For now, Auf Wiedersehen from Germany!

Vinny

Categories: Uncategorized Tags:

Backdoor Olyx – is it malware on a mission for Mac?

July 26th, 2011 No comments
The recent emergence of rogue security software applications for Mac demonstrates how cybercriminals effectively use social engineering techniques to manipulate users’ responses – specifically, exploiting users’ fear of revealing sensitive information such as credit card details. This scare tactic evidently works regardless of the platform. While financial gain is primarily the motivation that drives elaborate schemes of Internet fraud, a threat that appears limited and specific to its target raises interesting questions about whether this threat is on a mission.
 
A recently discovered backdoor for Mac (that we detect as Backdoor:MacOS_X/Olyx.A) was found in an interesting package named “PortalCurrent events-2009 July 5.rar”, anonymously submitted through VirusTotal (SHA1 1c100e7f3bda579bb4394460ef530f0c6f63205c). The package suggests that the content was extracted from the Wikipedia community portal current events page for 2009 July 5, although the revision history shows that the last edited version was a year ago. If this is true, the update to the package could be an attempt to slip in a backdoor.
 
The content folder includes photos from events on June 15th 2011. Alongside are two malicious binary executable files (with SHA1s 90EBC867D3E69F10FC45E28DC87789B1C7092C5F and 0B0CA1263DF13E124A8DB0B744F8A6462E41FE44):
  • Video-Current events 2009 July 5.exe (205,480 bytes) PE EXE
  • Current events 2009 July 5 (50,956 bytes) Mach-O I386
In an interesting side note, the malicious Windows executable file (detected as Backdoor:Win32/Wolyx.A) contained a valid digital signature as follows:
 
Issued By:      WoSign Code Signing Authority
Issued To:      CN, Yunnan, Kunming, Kunming Wuhua District YanXing Technology Sales Department, WoSign Class 3 Code Signing, Kunming Wuhua District YanXing Technology Sales Department
Thumbprint:     4C5F10834A0E0EF74EA7DE36A21BD327373421D2
Sign Time:      (None)
Effective On:   11/03/2009 00:00
Expired On:     11/02/2012 23:59
 
Note: This certificate has since been revoked.
 
The Mach-O binary file targets Mac OS X users. It installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named “google” in the /Library/Application Support directory, where the backdoor installs as “startp”. It also keeps a copy in the temporary folder as "google.tmp". It creates “www.google.com.tstart.plist” in /Library/LaunchAgents to ensure that the backdoor is launched once whenever a user logs in; this applies to all accounts on the system.

The backdoor initiates a remote connection request to IP address 121.254.173.57, and keeps retrying until a connection is established.
 
Once connected, the remote attacker may take advantage of the backdoor’s file management feature, which allows them to upload, download and navigate through files and directories. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia.
 
Furthermore, another interesting observation here is that the feature set and the code found in this backdoor appear to be similar to that of Gh0st RAT 3.6, also known as “Ghostnet”. We detect the Ghostnet backdoor as Backdoor:Win32/Remosh.A.

Meths Ferrer

Microsoft offers $250,000 reward for information on botnet

July 22nd, 2011 No comments

This week, Richard Boscovich, Senior Attorney for the Microsoft Digital Crimes Unit, announced a $250,000 bounty for information that results in the identification, arrest, and criminal conviction of those responsible for controlling the Rustock botnet.

Microsoft shuttered Rustock (a major source of spam) back in March, and we continue both to search for the cybercriminals responsible and to help people regain control of their Rustock-infected computers. If you think your computer might be at risk, learn how you can remove and avoid computer viruses.

Anyone with information about Rustock should contact their international law enforcement agency.

For more information, see Microsoft Offers Reward for Information on Rustock.

MS11-056 – Important : Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (July 21, 2011): Added a link to Microsoft Knowledge Base Article 2507938 under Known Issues in the Executive Summary.
Summary: This security update resolves five privately reported vulnerabilities in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS). The vulnerabilities could allow elevation of privilege if an attacker logs on to a user’s system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.

Categories: Uncategorized Tags:

3 tips to avoid summer travel scams

July 19th, 2011 No comments

Right now, in the United States, summer vacation season is here and so are scams. Here are three tips to help you avoid summer travel scams.

1. Watch out for deals that look too good to be true. If you’re still making vacation plans, then you’re probably looking for deals. If a deal looks too good to be true, it probably is. Scammers regularly post fake vacation rental home ads on sites like Craigslist and “free vacation” offers that you get by email probably have strings attached. 

If you’re buying tickets or vacation packages online, make sure you follow the same due diligence that you do whenever you buy anything online.
 
For more information, see Email and web scams: How to help protect yourself.
 
2. Your friend probably didn’t just get robbed in a foreign country. A scammer can take over (or hijack) an email account and send an email to you that looks like it is from a friend. When scammers hijack an email account they regularly prey on the goodwill of the people in your contact list. If you get an email from a friend who needs you to send him money while he’s on his vacation, be suspicious. Find a different way to try to contact your friend to find out if this email really came from him. With Hotmail you can now report a friend who you think has been scammed, even if that friend doesn’t use Hotmail.

For more information, see “I’ve been mugged. Send money!”


3. Be careful with vacation details that you post on your social networking sites and out-of-office emails. We’re not saying that you shouldn’t brag about your Italian vacation to all of your Facebook friends and Twitter followers. We’re just suggesting that you wait until you get home in order to prevent this information from falling into the wrong hands.

For more information, see 11 tips for social networking safety.

Finally, while you probably need to set up an email auto-responder to inform your co-workers that you’ll be out of the office, you probably don’t need to do the same for your personal email account. You can decide if it’s worth it to risk alerting cybercriminals that you’re on vacation.
For more information about security on-the-go, see our Mobile and wireless section.

Errors When Using the FEP 2010 Definition Update Automation Tool

by Michael Cureton

We’ve become aware of two issues when using the Definition Update Automation Tool. This blog article presents workarounds for the issues.

Definition Update Automation Tool fails to add new definition updates to the deployment package

Symptoms

The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.
  at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
  at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
  at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)
  at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)

Cause

More than one FEP 2010 definition update is being detected as active by the tool.

More Information

The FEP 2010 Definition Update Automation tool queries WMI (SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1) to get the single active FEP 2010 definition update. The exception happens as a result of more than one update being returned. The tool may detect more than one update as being active when one of the two conditions is TRUE:

  1. One or more FEP 2010 definition updates has been expired but not superseded, OR
  2. One or more FEP 2010 definition updates has been orphaned.

To confirm whether you’re experiencing condition #1 or #2, run the WMI query below:

SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0

If the query only returns one row, then you are experiencing condition #1. If two or more rows are returned, you are experiencing condition #2.

Workarounds

Condition #1

If you are experiencing condition #1, you can prevent the symptom by simply adding the /UpdateFilter flag to the command line for the tool (SoftwareUpdateAutomation.exe) with the appropriate values to filter out expired definition updates that are not superseded.

For example:

SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter "ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

Condition #2

If you are experiencing condition #2, you will need to manually decline the orphaned updates via the WSUS administration console. For each update returned from the WMI query that you used to confirm that you have condition #2, double-click on the LocalizedDisplayName property and note the definition version. The update with the highest definition version will be the active one. The update(s) with the lower definition versions have been orphaned.

For example, using the list below, 1.107.713.0 would be the active update and the other two updates are orphaned and would need to be declined manually in WSUS.

Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.103.1405.0)
Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.105.2231.0)
Definition Update for Microsoft Forefront Endpoint Protection 2010 – KB2461484 (Definition 1.107.713.0)

After you have determined the orphaned update(s) title (and version), load the WSUS snap-in and drill down to the Updates node. On the action pane, click New Update View. Select “Updates are in a specific classification” and “Updates are for a specific product”. In step 2, click any classification and ensure that only Definition Updates is checked. Next click any product and ensure that only Forefront Endpoint Protection 2010 is checked. In step 3, specify a name for the view and click OK.

Locate the created view in the WSUS console. Change the Approval value to “Any Except Declined” and the Status to “Any” and hit Refresh. Click the Title column so that the results are sorted using the version. Find the orphaned update(s) that you identified by version and select the Decline action for each. Once this is complete, you’ll need to wait for the next scheduled Software Update Point (SUP) sync to complete, at which time the updates that you declined will be marked as expired in the ConfigMgr database.

NOTE: Running a manual SUP sync will NOT expire the declined updates. Only a scheduled sync will perform this operation.

Once the sync is complete, run the WMI query you used to determine the condition again to confirm that only one row is now returned. Going forward, you will also need to run the tool with the /UpdateFilter flag described in the condition #1 workaround.
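The diagnosis above (count the rows the tool sees, count the rows that are also not expired, then pick out the highest definition version) can be scripted so that the same check is repeatable after each SUP sync. The script below is an added example and is not part of this article or the tool: it runs the two SMS_SoftwareUpdate queries the article gives against the ConfigMgr SMS Provider, reports which condition applies, and for condition #2 ranks the KB2461484 updates by the version embedded in LocalizedDisplayName. The $SiteServer and $SiteCode parameters (the site code is a placeholder you must replace) and the assumption that titles end in “(Definition x.y.z.w)”, as in the article’s examples, are mine.

```powershell
# Added example, not part of the original article: classify the FEP 2010 Definition Update
# Automation Tool failure as condition #1 or #2 and rank KB2461484 updates by version.
param(
    [string]$SiteServer = 'localhost',
    [string]$SiteCode   = 'XXX'   # placeholder: replace with your three-character site code
)
$ns = "root\sms\site_$SiteCode"   # assumed SMS Provider namespace layout

# The filter the tool itself uses, and the article's confirmation filter (adds IsExpired=0)
$toolFilter  = 'ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1'
$checkFilter = "$toolFilter AND IsExpired=0"

function Get-DefinitionVersion([string]$title) {
    # "... KB2461484 (Definition 1.107.713.0)" -> [version]1.107.713.0, so sorting is numeric,
    # not lexical (1.107.x must rank above 1.105.x and 1.103.x)
    if ($title -match '\(Definition\s+(\d+(\.\d+){1,3})\)') { return [version]$Matches[1] }
    return $null
}

$seenByTool = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
                  -Query "SELECT * FROM SMS_SoftwareUpdate WHERE $toolFilter")
$notExpired = @(Get-WmiObject -ComputerName $SiteServer -Namespace $ns `
                  -Query "SELECT * FROM SMS_SoftwareUpdate WHERE $checkFilter")

"Rows the tool sees: $($seenByTool.Count); rows that are also not expired: $($notExpired.Count)"

if ($seenByTool.Count -le 1) {
    "Only one active definition update: the duplicate-key exception should not occur."
}
elseif ($notExpired.Count -eq 1) {
    "Condition #1 (expired but not superseded). Run the tool with:"
    "  SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter `"$checkFilter`""
}
else {
    "Condition #2 (orphaned updates). Decline every entry except the highest version in WSUS,"
    "wait for the next scheduled SUP sync, then keep running the tool with /UpdateFilter `"$checkFilter`":"
    $ranked = $notExpired |
        Select-Object LocalizedDisplayName,
                      @{ n = 'Version'; e = { Get-DefinitionVersion $_.LocalizedDisplayName } } |
        Sort-Object Version -Descending
    $i = 0
    foreach ($u in $ranked) {
        # First row after the descending sort is the active update; the rest are orphaned
        $tag = if ($i -eq 0) { 'ACTIVE  ' } else { 'ORPHANED' }
        '  {0} {1,-14} {2}' -f $tag, $u.Version, $u.LocalizedDisplayName
        $i++
    }
}
```

Run it on (or with WMI access to) the site server with an account that can read the SMS Provider namespace. Comparing the two row counts is the same decision the article describes by hand; the version ranking removes the need to open each update and read the LocalizedDisplayName property yourself.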

Definition Update Automation Tool does not refresh distribution points

Symptoms

The FEP 2010 Definition Update Automation Tool does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.

Workarounds

Add /RefreshDP to the command line for the tool (SoftwareUpdateAutomation.exe). For example:

SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

Troubleshooting with the New Sysinternals Administrator’s Reference

July 18th, 2011 No comments

Aaron Margosis and I are thrilled to announce that the long awaited, and some say long overdue, official guide to the Sysinternals tools is now available! I’ve always had the idea of writing a book on the tools in the back of my mind, but it wasn’t until…(read more)

Categories: Uncategorized Tags:

Q&A From July 2011 Security Bulletin Webcast

July 15th, 2011 No comments

Hello,

Today we published the July Security Bulletin Webcast Questions & Answers page. We fielded thirteen questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer and we have included those questions and answers on the Q&A page.

We invite our customers to join us for the next public webcast on Wednesday, August 10th at 11am PDT (UTC -7), when we will go into detail about the August bulletin release and answer questions live on the air.

Customers can register to attend at the link below:
Date: Wednesday, August 10, 2011
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration

Thanks,
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group

Categories: Uncategorized Tags:

What’s a virus? What’s a worm? Does it matter?

July 15th, 2011 No comments

You probably already know that to keep your computer safe, you need to:

 But we can also be tricked into installing malicious software (malware) ourselves. 

Last month Ed Bott posted an interesting piece about this in his Microsoft Report blog. He also makes a compelling argument that the difference between viruses, worms, spyware, and Trojans doesn’t matter as much as it used to. They’re all nasty and all we want to do is to keep them off our computers.

For more information, see Trojans, viruses, worms: How does malware get on PCs and Macs?

Categories: malware, security Tags:

Repack: A sneaky way to make a Yuan

July 15th, 2011 No comments
Nowadays, when people want to download software, they usually search for it using a search engine that leads them to a download site. But some software on these sites may be harmful. In China, more and more software package authors are using these download sites in a malicious way in order to make money. They add other unwanted software into the normal software package – this is called a “repack”.
Some time ago, one of our customers intended to download a web browser but instead downloaded a malicious installation package that we now detect as TrojanDownloader:Win32/Startpage.NZ (SHA1: FAFA0BD6AA6A59439DF01E82750D72D7E13E5637).
Installer package
It appears to be a normal install package, but after installation with default options, it adds many shortcuts to an affected user’s desktop and pops up advertisements. It also modifies the Internet Explorer home page, and adds some fake Internet Explorer shortcuts in the quick start area (which are also advertisements).
Short cuts added to desktop

We can see that this is a repacked package, and the following installer script has been added, complete with download links:

Installer script containing download links
All of these URLs are related to advertising. The author of the package will make money from them. Many users download and install software from various websites, but not all of these websites provide official or legitimate installation software packages. Some may even be harmful.
If you want some software, as always, we recommend that you download it from a legitimate and verified source. We also recommend that you take advantage of the SmartScreen Filter feature in Internet Explorer 9. SmartScreen Filter works with Download Manager to help protect you from malicious downloads. Potentially risky downloads are immediately blocked, and Download Manager clearly identifies higher-risk programs so that you can make an informed decision to delete, run, or save the download.
by Haoran Yu

Categories: Uncategorized Tags:

How to move the FEP Databases and the CM Site Database

by Jeramy Skidmore

You can move the Configuration Manager site database and associated Forefront Endpoint Protection (FEP) databases after setup has completed to a different SQL Server computer system by:

  1. Backing up the FEP data warehouse (FEPDW_<sitecode>)
  2. Backing up the Configuration Manager Site Database (SMS_<sitecode>)
  3. Uninstalling the FEP reporting component
  4. Restoring the site database and FEP data warehouse to their new locations
  5. Relocating the site database via Configuration Manager setup
  6. Reinstalling the FEP Reporting component

Detailed steps follow.

Note

Configuration Manager 2007 does support moving the site database from a remote SQL Server to the local site server computer if the site server computer is running a supported version of Microsoft SQL Server. For a list of supported SQL Server versions, see Configuration Manager Supported Configurations.

Note

FEP hosts two databases, the FEP database (FEPDB_sitecode) and the FEP data warehouse (FEPDW_sitecode). The FEP database serves as a proxy database for extracting data from the Configuration Manager site database. It does not need to be backed up or moved, and will be recreated when the FEP Reporting component is reinstalled.

To move the databases

Important: You will require access to the FEP 2010 installation media in order to successfully complete these steps.

  1. Back up the site database on the current site database server and restore it on the new site database server computer using the SQL Server Management Studio. For more information, see How to Move the Site Database.
  2. Back up the FEP data warehouse (FEPDW_sitecode) on the current FEP Reporting SQL Server and restore it to the new Reporting SQL Server. (If you have a remote reporting database and are not moving the FEP reporting database, you can skip this step.)

    Note

    Ensure that the database access permissions are the same on the new databases as they are on the original databases.

  3. On the site server, in Add/Remove programs, uninstall Microsoft Forefront Endpoint Protection 2010 Reporting.
  4. Ensure the primary site server computer account has administrative privileges over the new site database server computer.
  5. Close any open Configuration Manager console connections to the site server.
  6. On the primary site server computer, use the hierarchy maintenance tool (Preinst.exe) to stop all site services by using the following command: Preinst /stopsite.
  7. On the primary site server computer, click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and click ConfigMgr Setup, or navigate to the .\bin\i386 directory of the Configuration Manager 2007 installation media and double-click Setup.exe.
  8. Click Next on the Configuration Manager Setup Wizard Welcome page.
  9. Click Perform site maintenance or reset this site on the Configuration Manager Setup Wizard Setup Options page.
  10. Select Modify SQL Server configuration on the Configuration Manager Setup Wizard Site Maintenance page.
  11. Enter the appropriate SQL Server name and instance (if applicable) for the new site database server as well as the site database name on the Configuration Manager Setup Wizard SQL Server Configuration page.
    Configuration Manager Setup performs the SQL Server configuration process.
  12. Restart the primary site server computer, and verify the site is functioning normally.
  13. On the site server, run serversetup.exe from the FEP installation media.
  14. On the Installation Options step, choose Advanced Topology.
  15. On the Advanced Topology step, ensure that FEP 2010 Reporting and Alerts is selected.
  16. On the Reporting Configuration step, provide the proper computer, instance, and database name for your SQL implementation. Ensure the Reuse existing database check box is selected.
  17. Proceed through setup. This process will recreate the FEP database alongside the relocated site database, and recreate the SQL jobs necessary to move information from the site database into the FEP databases. The FEPDB will be repopulated according to the information stored in the site database.
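Steps 1 and 2 and the note that follows them (back up the site database and FEP data warehouse, restore them on the new server, and make sure the permissions match), as an added example that is not part of the original article. It drives sqlcmd.exe, which ships with SQL Server, from PowerShell; the server names, site code, share path and target folders are assumptions, and the share must be readable and writable by both SQL Server service accounts.

```powershell
# Added example, not the article's own procedure. Backs up SMS_<sitecode> and
# FEPDW_<sitecode> on the old server, restores them on the new one, and then
# checks that database principals match and that every restored user still has
# a login on the new server. All names below are assumptions.
param(
    [string]$OldSql   = 'SQLOLD',                  # assumed: current site/FEP database server
    [string]$NewSql   = 'SQLNEW',                  # assumed: new server, or SERVER\INSTANCE
    [string]$SiteCode = 'PS1',                     # assumed ConfigMgr site code
    [string]$Share    = '\\fileserver\sqlmove$',   # assumed: reachable by both SQL service accounts
    [string]$NewData  = 'D:\SQLData',              # assumed data-file folder on the new server
    [string]$NewLog   = 'L:\SQLLogs'               # assumed log-file folder on the new server
)

# Only these two move. FEPDB_<sitecode> is recreated when FEP Reporting is reinstalled.
$databases = @("SMS_$SiteCode", "FEPDW_$SiteCode")

function Invoke-Tsql([string]$Server, [string]$Query) {
    # -E Windows auth, -b non-zero exit on error, -h -1 no header row,
    # -W trim padding, -s "|" pipe-separated columns (easy to split later).
    $out = & sqlcmd.exe -S $Server -E -b -h -1 -W -s '|' -Q "SET NOCOUNT ON; $Query" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd against $Server failed: $out" }
    @($out | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
}

function Backup-SiteDatabases {
    foreach ($db in $databases) {
        $bak = Join-Path $Share "$db.bak"
        Invoke-Tsql $OldSql "BACKUP DATABASE [$db] TO DISK = N'$bak' WITH INIT, CHECKSUM" | Out-Null
        Write-Host "Backed up $db to $bak"
    }
}

function Restore-SiteDatabases {
    foreach ($db in $databases) {
        $bak = Join-Path $Share "$db.bak"
        # Read the logical and physical file names out of the backup instead of
        # guessing them, and relocate each file into the new data or log folder.
        $moves = foreach ($row in Invoke-Tsql $NewSql "RESTORE FILELISTONLY FROM DISK = N'$bak'") {
            $col  = $row -split '\|'                       # LogicalName|PhysicalName|Type|...
            $leaf = Split-Path -Leaf $col[1]
            $dir  = if ($col[2] -eq 'L') { $NewLog } else { $NewData }
            "MOVE N'$($col[0])' TO N'$(Join-Path $dir $leaf)'"
        }
        $with = (@($moves) + @('REPLACE', 'STATS = 10')) -join ', '
        Invoke-Tsql $NewSql "RESTORE DATABASE [$db] FROM DISK = N'$bak' WITH $with" | Out-Null
        Write-Host "Restored $db on $NewSql"
    }
}

function Compare-DatabasePrincipals {
    # The note after step 2: access permissions must be the same on both sides.
    # principal_id > 4 skips dbo, guest, INFORMATION_SCHEMA and sys.
    $listQ = "SELECT name + '|' + type_desc FROM sys.database_principals " +
             "WHERE type IN ('S','U','G','R') AND principal_id > 4 ORDER BY name"
    # Users whose SID has no server login on the new server cannot connect there;
    # this also catches a missing login for the site server computer account.
    $orphanQ = "SELECT dp.name FROM sys.database_principals dp " +
               "LEFT JOIN sys.server_principals sp ON dp.sid = sp.sid " +
               "WHERE dp.type IN ('S','U','G') AND dp.principal_id > 4 AND sp.sid IS NULL"
    $problems = @()
    foreach ($db in $databases) {
        $old = Invoke-Tsql $OldSql "USE [$db]; $listQ"
        $new = Invoke-Tsql $NewSql "USE [$db]; $listQ"
        foreach ($p in $old) { if ($new -notcontains $p) { $problems += "${db}: '$p' exists only on $OldSql" } }
        foreach ($p in $new) { if ($old -notcontains $p) { $problems += "${db}: '$p' exists only on $NewSql" } }
        foreach ($u in Invoke-Tsql $NewSql "USE [$db]; $orphanQ") {
            $problems += "${db}: user '$u' has no matching login on $NewSql"
        }
    }
    $problems
}

Backup-SiteDatabases
Restore-SiteDatabases
$issues = Compare-DatabasePrincipals
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Database principals match on both servers; continue with step 3.' }
```

Two caveats a practitioner would apply on top of the article's order: take the final backup only after nothing is writing to the site database any more (otherwise every record written between the backup and the cutover is lost), and treat any orphan reported by the last check as a blocker, since a SQL-authenticated user whose login is missing on the new server must be re-mapped there (ALTER USER ... WITH LOGIN) and a Windows account or group must be granted a login before the site server can use the restored database.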